ICANN Files Lawsuit to Clarify WHOIS Data Collection Under GDPR

ICANN filed a lawsuit in which it asks a German court for assistance in interpreting GDPR as it relates to WHOIS data collection.

On 25 May, the Internet Corporation for Assigned Names and Numbers (ICANN) announced it had filed legal action against EPAG, an ICANN-accredited registrar based in Germany that is part of the Tucows Group. It submitted the lawsuit after EPAG stopped collecting administrative and technical contact information for new domain name registrations presumably out of concern of violating the European Union’s General Data Protection Regulation (GDPR). ICANN said it requires this information as part of a contract with EPAG to sell generic top-level domain (gTLD) name registrations.

John Jeffrey, ICANN‘s General Counsel and Secretary, explained a press release that the purpose of the lawsuit is to clarify how WHOIS data collection should proceed going forward:

It is ICANN‘s public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource. We appreciate that EPAG shared their plans with us when they did, so that we could move quickly to ask the German court for clarity on this important issue.

Since at least March, ICANN has been actively soliciting guidance from the European data protection authorities (“Article 29 Working Party”) on how to collect data for WHOIS records in accordance with GDPR. The nonprofit organization used these recommendations to craft an interim compliance model, which it eventually adopted as a Temporary Specification on 17 May 2018 to help address those concerns. This short-term framework specifies the collection of registrant, administrative and technical contact information but requires layered access for collecting personal data.

EPAG violated the Temporary Specification, ICANN argued in its lawsuit, as it failed to collect those pieces of information for gTLD name registrations.

In a statement, Tucows shared it too is hopeful the lawsuit will provide clarity:

ICANN and Tucows disagree on how the GDPR impacts our contract. The facts and the law as we see them do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data. We look forward to, and welcome the clarity that will come from this legal action.

For information on how Tripwire can help your organization achieve compliance with GDPR, click here.